Fixed/mobile convergence (FMC) networks represent a new paradigm in virtually every aspect of service provider networks: number of registered users, connected devices, applications/services, and active sessions. Equipped with a new generation of dual mode cellular-WiFi (News - Alert) handsets, FMC service users will get better reception in the home and office, where it was once spotty, plus a new range of multimedia services delivered to their mobile devices.
The new paradigm not only represents larger scale networks, it also opens carriersï¿½ once-closed networks to the Internet and the full range of security risks. Further distancing itself from previous network architectures ï¿½ in which security was an afterthought ï¿½ FMC networking standards have security built into their specifications.
As carriers plan to build their Third Generation Partnership Program (3GPP) standards-compliant IP Multimedia Subsystem (News - Alert) (IMS) and Unlicensed Mobile Access (UMA) next-gen networks, they must look for an appropriate next-gen solution that not just meets but exceeds the standards-specified level of security.
New Security Paradigm: Beyond VoIP Networks
VoIP landline networks ï¿½ hailed within recent memory as next-generation ï¿½ will be eclipsed by FMC networksï¿½ order of magnitude higher dimensions and broader range of security threats.
This defines a set of new parameters for network security:
ï¿½ While VoIP fixed networks are all about Session Initiation Protocol (News - Alert) (SIP) and SIP services, FMC networks (e.g., IMS) offer VoIP plus multimedia services. Therefore, FMC services extend beyond SIP-based services to include the full range of IP protocol (HTTP, RTSP, etc.) based services ï¿½ all of which must be protected.
ï¿½ Multiple layers of protection (i.e., security functions) are necessary. Beyond protecting the SIP control plane and its underlying protocols (TCP, IP, Ethernet), the payload (i.e., media plane) must be guarded from the full range of security risks: denial of service attacks, malformed packets, viruses, SIP session hijacking, RTP attacks, etc.
ï¿½ End-to-end security is essential. Beyond protecting the user device and FMC WiFi access (the ï¿½new last mileï¿½), the rest of the network infrastructure (IP core network and application servers) is now laid bare to the Internet and must be guarded.
ï¿½ The full range of security functions (denial of service, intrusion protection, bandwidth theft prevention, etc.) must be processed on every packet that traverses the network without impacting the performance and quality of service. This requires higher performance and more scalable security systems than ever before.
These FMC requirements challenge the previous generation of security devices: session border controllers (SBCs), which were originally designed as SIP proxy devices. Their security functions are focused on SIP control plane security, and include add-on features such as network address translation/traversal for separate, attached firewalls.
SBCs were also designed for handling lower volumes of users and sessions that FMC networks require. The most dramatic illustration of this is how SBCs address fixed-line VoIP network scaling:
ï¿½ SBCs employ a 20 users to 1 active session oversubscription model (i.e., 100 users, five active VoIP sessions).
ï¿½ FMC requires a one user to X active subscription model (i.e., 100 users, an average minimum of 500 active IMS sessions).
FMC network users will have multiple devices (laptop, mobile phone, desk phone, etc.) simultaneously registered and multiple active application sessions (VoIP, instant messaging, presence, IPTV (News - Alert) or video messaging, and/or gaming).
Tiered Security is Required Across the FMC Network Domains
Access control lists, stateful firewalls, SIP firewalls, network address translation, denial of service attack prevention, secure authentication, encryption, and lawful intercept are all part of the FMC security architecture and must be fully supported by an FMC security platform.
The 3GPP IMS standard specifies a security platform for isolating the Call Session Control Function from malicious attacks, allowing the CSCF to focus on its core functions: call termination and control. The standard also specifies IPsec data encryption and integrity for user device access.
However, to thoroughly protect the entire FMC infrastructure, a broader portfolio of tiered security functions must be applied on each packet in the traffic flow:
ï¿½ First: the connection between the end-users and the network service needs a rich IPsec implementation (including IKEv1/IKEv2, transport/tunnel mode, DES/3DES/AES and SHA-1/MD-5) to authenticate users, giving them access into the service network, and to encrypt/decrypt the traffic for privacy across the access medium.
ï¿½ Second: each packet must be evaluated for global security threats (including IP denial of service and malicious URL filtering), and a stateful firewall must be used to block known attacks and enforce policies that limit the applications that can access the carrier network from the Internet.
ï¿½ Third: each packet is evaluated based upon the mobile station or endpoint requesting the services to determine if the user is authenticated, has access to media services, has exceeded his bandwidth, is sending malicious code, etc.
ï¿½ Fourth: each packet must also be evaluated again using the same security operations performed for the mobile stations, this time based on policies specific to the application server being accessed (e.g., allow only a certain number of concurrent sessions to prevent a denial of service attack).
ï¿½ Fifth: each packet is subjected to a wiretap at each security evaluation point and may be mirrored to a law enforcement agency.
Security Device Architectures
The fundamental challenge for FMC security devices is the ability to apply packet processing to the full range of multimedia services concurrently ï¿½ without introducing performance-impacting latency or jitter and without sacrificing security feature scalability for the sake of simultaneous services.
Next-generation devices (i.e., security gateways) are designed with a processing pipeline that utilizes a combination of high-speed ASICs and programmable network processors to yield maximum packet processing performance while applying the full range of security features to each packet.
This security gateway (SeGW) architecture is based upon specific ASICs for delivering scalable IPsec tunnel performance, deep packet inspection, subscriber/application identification, quality of service and detailed statistics ï¿½ all functions that limit the performance and scale of legacy security systems (i.e., SBCs with add-on features as well as routers with conventional add-on blades). SeGW network processors are reserved for packet forwarding and header manipulation with a performance budget to concurrently support all of the security services offered by the platform. This ensures predictable performance even when multiple security services are activated on the platform. Finally, the SeGW processing pipeline contains a dedicated high-performance processor for assisting and offloading the stateful analysis of SIP control traffic.
Conversely, SBCs have been built with general-purpose processors or a combination of network processors and a security coprocessor. This legacy architecture lacks a coherent, secure packet-forwarding pipeline and cannot sustain peak performance at scale when multiple functions are enabled. In other words, as more security functions are turned on, SBC packet processing performance degrades.
In addition, none of the SBCs on the market today were originally designed as comprehensive, multisecurity feature devices, instead they have focused on call processing and proxy services for solving the Firewall/NAT complications introduced by SIP for VoIP. The SBCï¿½s proxy-based architecture is fundamentally different from the SeGWï¿½s transparent security architecture. Consequently, SBC architecture isnï¿½t robust enough to meet the multifunction security services and scalability realities of 3GPP FMC networks (e.g., IMS and UMA).
Security Architecture Scalability and Economics
FMC security devices must scale to support millions of subscribers and devices (e.g., mobile handhelds, wireless laptops, corporate or personal computers and enterprise-based IP PBXs). In an FMC (e.g., IMS) voice application, a single user may have multiple devices attached to the network simultaneously (e.g., mobile, home and office phones, and possibly, a PC ï¿½soft phoneï¿½).
All these devices must be concurrently registered as ï¿½connectedï¿½ to the network and have secure connections; so when an incoming call rings for the user, the IMS network can use its intelligence to ring one or all of these devices. This requires continuous security device as well as network core resources. Other FMC applications, such as instant messaging (which is always-on) and dual mode (cellular-to-WiFi) on-off/on-again registration also significantly add to the security deviceï¿½s scalability requirements.
Unlike the SeGWï¿½s transparent architecture that can scale through the use of a customized security pipeline and custom ASICs, an SBCï¿½s proxy architecture was never designed to accommodate the scale required in FMC architectures. Although SBCs are adept at call processing, the fact that they were designed for massively oversubscribed deployments makes meeting the challenge of scale a difficult proposition. In contrast, the SeGWï¿½s highly scalable, transparent architecture is designed for FMC networks ï¿½ in which all users will have several concurrent active sessions.
Proxy architecture deployments include early proxy firewalls and the current generation of SSL VPN solutions ï¿½ all limited in scale to several thousand users per system. Proxy architectures suffer from their need to terminate the original user session, then regenerate the session with the necessary security inspection and modifications. Since a proxy device must first terminate traffic, this translates into a minimum of two sessions for every user. In the case of SIP IMS deployments, an average of five or more media sessions per subscriber is expected.
The challenge of scale represents a significant problem for the proxy architecture, as it taxes hardware and quickly reduces scalability by at least a factor of two, requiring many more SBCs than SeGWs to handle FMC. To scale, SBCs must add blades and/or load-balance multiple chassis. This architectural model introduces significant reliability, CAPEX and OPEX, power consumption and space issues contrary to service provider economics and IMS business (e.g., ROI) models.
After Looking Under the Hood
Session border controllers were designed to function as SIP proxy devices and not as transparent, high-performance, highly scalable multisecurity feature solutions for FMC networks. Now a new generation of devices has emerged for FMC networks: security gateways, with a comprehensive security feature portfolio and a transparent architecture for processing them without trading off security, performance, quality of service or cost efficiencies. IT
Cam Cullen is vice president of product management at Reef Point Systems. For more information, please visit the company online at www.reefpoint.com.
If you are interested in purchasing reprints of this article (in either print or PDF format), please visit Reprint Management Services online at www.reprintbuyer.com or contact a representative via e-mail at firstname.lastname@example.org or by phone at 800-290-5460.